CSS 11503 One-arm Design and Server Default Gateway

Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
Tom

Hi Tom,
If you have one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows: it needs to see both sides of the flow (client and server side) in order to handle things correctly. Having this kind of setup, and even with the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
You can use the L3 switch as the default gateway, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address to the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS, have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada.
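An added illustration of the two options Jose describes (and of Gilles' point about direct server access further down); this is not code from the thread or from Cisco. It is a small Python model of the server's reply path in this one-arm layout: all addresses are constructed, and it assumes, as stated above, that the CSS must see both directions of a flow.

```python
import ipaddress

# Constructed addresses: VIP, CSS circuit, router and servers share one subnet.
SUBNET = ipaddress.ip_network("192.168.20.0/24")
CLIENT = ipaddress.ip_address("10.0.0.5")       # remote client, off-subnet
ROUTER = ipaddress.ip_address("192.168.20.1")   # L3 switch SVI
CSS_IF = ipaddress.ip_address("192.168.20.2")   # CSS circuit address
VIP = ipaddress.ip_address("192.168.20.55")     # VIP; also the group's NAT address
SERVER = ipaddress.ip_address("192.168.20.40")
DEVICE = {ROUTER: "router", CSS_IF: "css", VIP: "css", SERVER: "server"}

def server_next_hop(dst, default_gw, redirect_cache=None):
    """Host forwarding decision: on-link destinations are sent directly;
    anything else goes to the default gateway unless an ICMP redirect has
    installed a more specific next hop for that destination."""
    if dst in SUBNET:
        return dst
    if redirect_cache and dst in redirect_cache:
        return redirect_cache[dst]
    return default_gw

def reply_first_hop(default_gw, source_nat, via_vip=True, icmp_redirects=False):
    """Device that receives the server's reply for one client connection.
    source_nat: group with 'add destination service' rewrites client IP -> VIP
    via_vip: False models a client reaching the server directly, bypassing CSS
    icmp_redirects: the CSS, acting as gateway, points the server at the router
    """
    src_seen_by_server = VIP if (source_nat and via_vip) else CLIENT
    cache = {}
    if icmp_redirects and default_gw == CSS_IF and src_seen_by_server == CLIENT:
        cache[CLIENT] = ROUTER  # redirect learned: reply traffic now skips the CSS
    return DEVICE[server_next_hop(src_seen_by_server, default_gw, cache)]

def flow_symmetric(default_gw, source_nat, via_vip=True, icmp_redirects=False):
    """A load-balanced flow only works if the reply returns through the CSS;
    a direct (non-VIP) flow only works if the reply does NOT hit the CSS."""
    hop = reply_first_hop(default_gw, source_nat, via_vip, icmp_redirects)
    return hop == "css" if via_vip else hop == "router"

if __name__ == "__main__":
    for gw, nat, direct, redir in [(ROUTER, False, False, False), (ROUTER, True, False, False),
                                   (CSS_IF, False, False, False), (CSS_IF, False, False, True),
                                   (CSS_IF, False, True, False)]:
        print(f"gw={DEVICE[gw]:6} snat={nat!s:5} direct={direct!s:5} redirects={redir!s:5}"
              f" -> reply via {reply_first_hop(gw, nat, not direct, redir):6}"
              f" ok={flow_symmetric(gw, nat, not direct, redir)}")
```

Only the rows with the L3 switch as gateway plus source NAT, or the CSS as gateway with redirects off, come out symmetric; the direct-access row with the CSS as gateway reproduces the breakage Gilles describes.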

Similar Messages

  • CSS 11503 One armed config

    All,
    I got a question on the one armed config.
    Cisco says to use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load-balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
    Now the question I have here is: what if I set the servers' default gateway to the CSS rather than the router? This way you are actually forcing the packets destined for remote networks to go through the CSS DG. Should I need the source group anyway here? I think I don't. Someone please clarify. Much appreciated.
    thanks

    If you set the default gateway to be the CSS, then there is no need for the source group.
    However, if you have traffic going directly to the servers, it will go client-->router-->server-->CSS [breaks - because of asymmetric flow].
    If you never access the server directly, you're OK. Or you can set a route on the router forcing the traffic through the CSS.
    Gilles.

  • ACE 4700 one-arm design with SSL termination

    Hi,
    We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
    1. Are there any limitations in the one-arm design and the SSL offloading
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    I would appreciate if you can share some sample configs
    Regards,
    George Georgiou

    There are two ways to implement a one-arm topology:
    1. One arm with PBR
    2. One arm with SRC NAT
    PBR/source NAT is needed to ensure that the return traffic from real servers does not bypass the ACE.
    1. Are there any limitations in the one-arm design and the SSL offloading
    The limitations/config issues I can think of are the following:
    One arm with PBR:
    Direct access to servers requires enabling asymmetric routing (by turning off normalization). If direct server access is not required then you don't need to enable asymmetric routing. Now for these asymmetric connections (direct server access return traffic) it's required to purge idle connections more frequently (the default being one hour).
    One arm with SRC NAT:
    You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    Yes, you can do that, but wouldn't it make it a routed-mode topology?
    3. In some sample configuration I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    As I said earlier, you lose the source IP address with SRC NAT. But with the ACE you have the option to use header-insert and insert this source IP as an HTTP header.
    Details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    HTH
    Syed Iftekhar Ahmed

  • Sniffer Trace on ACE w/VACLs and One-Arm Design

    Wow...that was a mouthful of a title!
    Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
    client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
    The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
    interface GigabitEthernet x/xx
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport capture
    switchport capture allowed vlan 3002
    no ip address
    no cdp enable
    Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
    bc

    This can be done by setting up a monitor session on the Sup, with the TenGig/1 as SPAN source, and a trunk port as SPAN destination.
    For example, if the ACE is in slot X, the configuration would be:
    monitor session 10 source interface TeX/1
    monitor session 10 destination interface Giy/z
    The configuration for this port would be:
    int giy/z
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    Syed Iftekhar Ahmed

  • CSS11500 one arm design configuration assistance.

    Is it possible to configure the CSS11500 in a single-arm design? If yes, how do I configure source NAT on the CSS11500? It is not possible for me to change the default gateway or to configure the CSS inline.
    Regards

    Yes, you can configure the CSS in one-armed mode. You would do the NAT with a group config, i.e.:
    service yada
    ip address 192.168.20.40
    active
    content yadayada
    vip address 192.168.20.55
    add service yada
    group yadayadayada
    vip address 192.168.20.55
    add destination service yada

  • Source Nating in CSM one armed design

    What is the best practice for creating source NATing in a CSM one-armed design? I am doing a CSS to CSM migration. I have created the NATPOOL using the VIP address, like natpool CSS0 10.xxx.xx.xxx 10.xxx.xx.xxx netmask 255.255.255.0. I did experience some latency after migrating to the CSM. Then I used different IP addresses in the NATPOOL and that improved the latency. Is there any documentation which clearly explains this issue?
    Thanks

    The natpool will have no impact on performance.
    The problem must come from somewhere else.
    You should capture a sniffer trace and verify what is going on.
    Gilles.

  • CSS deployment - server default gateway options

    When using a single CSS11503, can the load-balanced server default gateway be configured to route traffic to a router rather than the CSS inside interface? Most of the documentation suggests using the CSS inline to the traffic flow; are there options for an 'on a stick' deployment?
    Can the same solution be used if a pair of CSS switches are configured for stateful failover, or do the CSSs need to record inside and outside traffic for stateful failover?
    Can you provide information for configuring the CSS on a stick, so that the CSS is not a bottleneck?

    The CSS needs to see both sides of a connection even if you don't need stateful failover.
    There is no option for Direct Server Return (DSR).
    You could have a different gateway on the server, so most of your traffic goes via the router, and then you need to use a client NAT pool on the CSS so the server thinks the client is locally attached and responds to the CSS without going through the default gateway.
    The only drawback is that the server will see connections coming from only one IP.
    Gilles.

  • One armed bandit and one port to another

    I was trying to setup a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443 say while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
    http://www.cisco.com/warp/public/117/one_armed_bandit.html
    group Servers1
    vip address 26.19.98.45
    add destination service oldwww:80
    active
    group Servers2
    vip address 26.19.98.45
    add destination service oldwww:443
    css-n1-1(config)# group Servers2
    css-n1-1(config-group[Servers2])# active
    %% An active source group with that address already exists

    The port number of the VIP does not have to be the same as the real server's.
    You can set the port you want for the real server with the 'port' command under the service definition.
    This is true for one-armed or any other type of setup.
    The problem in your config is that you can't create two groups using the same VIP IP address.
    So, simply configure all your servers under one group.
    i.e.:
    group Servers1
    vip address 26.19.98.45
    add destination service oldwww:80
    add destination service oldwww:443
    active
    Gilles.

  • CSS one-armed-config and SMTP reverse lookup problems?

    I was wondering if there would be potential reverse-lookup problems from other companies when we try to send mail to their mail domains.
    If I configure failover for our mail server, I am thinking that if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP addresses other than what the MX record points to in DNS.
    If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
    Is this a valid concern?

    The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
    In a one-armed configuration only the network port (Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link.
    http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

  • One armed VIP and FTP

    I have a need to use one-armed load balancing for some servers. I have 4 contents set up using this and I have the four corresponding groups set up. Two of the contents work fine; they are using SSL. The other 2 fail and they are both using FTP. It looks like it is failing on the data channel connection because I can log in to the server but cannot get any data. Is there a way to correct this?

    Check the following URL:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml
    It explains that you need a source group for the FTP data connection.
    Since you also need a group to NAT the client IP address, you have a problem, since you can't do both at the same time.
    The solution is to use an ACL and the 'sourcegroup' option.
    So you keep your group but you remove all the services attached inside it.
    Then you create an ACL like this one:
    acl 1
    clause 10 permit tcp any destination eq 21 sourcegroup
    apply circuit(VLAN-client)
    acl 2
    clause 10 permit tcp destination any sourcegroup
    apply circuit(vlan-server)
    This should work.
    If not, make sure to try both passive and active ftp to see if at least one works.
    Gilles.

  • Meaning of one-arm setup and src nat

    I've worked previously on the CSS platform and recall deploying one-arm mode, which simply meant connecting the appliance via a single physical trunk link.
    In terms of the ACE, some docos and ANM seem to suggest that one-arm requires src NAT; if true, why is that, unless one-arm now translates to one-VLAN?
    BTW, I know about asymmetric routing and src NAT, but what I'm failing to get is how that relates to one-arm.
    thanks

    Hello Ajaz,
    Generally the convention is to call "one arm" those setups where both clients and servers, for a certain load-balanced service (so VIP), belong to the same VLAN; see for example how it's defined here:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
    I'm not sure whether the definition has changed over time. I would guess that it can be intended in the physical sense (single link), as you do, or in the logical sense, where 2 VLANs would represent 2 arms even if the physical connectivity is provided through just one link. From my experience, in the LB field the logical interpretation is prevalent.
    Thanks,
    Francesco

  • How do I change the name of my iPhone? I bought one for wife and it defaulted to same name

    How do I change the name of my iPhone?
    I bought my wife a phone and it defaulted to the same name as my iPhone.

    Double-click the name under Devices on the left side of iTunes and type whatever you like.

  • Virtualisation and One Arm mode

    Hi All,
    Is it possible to make one context in one-arm mode and the rest in normal mode?
    -parvees

    Yes, no restriction. One-arm mode is just placing the VIP in the server's subnet and using source NAT for clients.

  • Meetingplace server crash and lost the default gateway info

    Hi all,
    I have ver 2.0.1.15. I have the first interface eth0 on IP 10.1.1.18 and the 2nd, eth1, on 192.168.162.21. It will crash and the default gateway on eth0 will be gone. Am I doing something wrong?

    Shannon,
    Harry is asking you the right question, because a theme with any bad syntax in it (especially custom XSLT files) will get scrapped when the server restarts.
    Try to think of something you changed recently, revert it to see if the theme will show up, and try to find the syntax error in your recent changes.
    This caught me by surprise when it first happened, but I suppose it is a nice feature. The Wiki Server falls back on a theme that works, which are the built-in ones. It would be nice if the errors were logged instead of just scrapping the theme, but I assume the spirit is to give you a wiki that works, rather than a nicely themed wiki that has errors.

  • Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921

    Is there a way to perform DNAT + SNAT with portmap disable on the Cisco CSS 11503? I need to do a DNAT in a one-armed configuration and then SNAT for UDP traffic with SRC port 9211 and DST port 9211. I don't need load balancing but only NAT. Is there a way to solve this issue with an ACL? Any help will be appreciated...
    Thanks

    If you want to do DNAT, you have to do it with a content rule.
    The VIP will be NATed to the service address.
    Then you need a group to NAT the client IP.
    Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
    Gilles.
